Single-Sign-On Certificate Renewal

by David Moczygemba
SAML Certificate Expiration: What You Need to Know

Overview

SAML certificates are essential for secure single sign-on (SSO) authentication between your identity provider and Wisetail, or between Wisetail and your service provider. When these certificates expire, your users won't be able to log in via SSO. This guide helps you understand what to expect and what you need to do when certificates are approaching expiration.

⚠️ Important: Certificate expiration will prevent SSO logins. Planning ahead is crucial to avoid service interruptions for your users.

Understanding Your SAML Configuration

Wisetail can work with your SSO setup in two different ways, and the certificate management process depends on which role we're playing:

When Wisetail Acts as Your Identity Provider (IdP)

In this setup, Wisetail is managing the authentication and sending user information to your other system(s).

✅ Good News: Our certificates don't expire for 10 years, so you won't need to worry about this very often!

What Happens When Our Certificate Needs Renewal:

  • We automatically get notified 30 days before our certificate expires
  • We'll create a proactive support ticket and reach out to your primary contact
  • You'll work with your IT department or third-party vendor to load the new certificate on your service provider
  • We'll coordinate the timing with you to ensure a smooth transition

When Wisetail Acts as Your Service Provider (SP)

In this setup, your identity provider (like Active Directory, Okta, or another system) handles authentication and sends user information to Wisetail.

💡 Important to Know: We can't see when your identity provider's certificates are about to expire, so we're counting on you to let us know when renewal is needed.

What You Need to Do:

  • Watch for expiration notifications from your IdP vendor or IT department
  • Create a support ticket with us as soon as you know renewal is needed
  • We'll work with you and your identity provider to load the new certificate
  • We'll coordinate the timing to minimize any impact on your users

How to Get Support

Creating a Support Ticket

When you need help with certificate renewal, here's how to reach us:

  1. Go to our support site: https://wisetail.zendesk.com/hc/en-us/
  2. Create a new support ticket
  3. Include these details in your ticket:
    • That you need SAML certificate renewal
    • Your preferred timeline for the change
    • A request for Wisetail to temporarily add a CC contact to your support ticket, if you want better communication with all parties
    • Any specific scheduling requirements

What to Expect from Our Support Process

Here's how we typically handle certificate renewals:

  • Coordination Call: We'll set up a call with you, our technical support team, and your identity provider or IT vendor contact
  • Timing: We'll work with everyone to find a time that minimizes impact on your users
  • Testing: We'll have at least one of your users test the login process after we make the change
  • Verification: We'll make sure everything's working properly before considering the change complete

Planning Ahead for Success

What You Can Do Now

✅ Pro Tips for Smooth Certificate Renewals:
  • Know who manages your identity provider (internal IT team or external vendor)
  • Set up monitoring or reminders for certificate expiration dates
  • Keep your primary contact information updated with us
  • Plan renewals well in advance of expiration dates
  • Have a test user account ready for post-renewal verification

When to Start the Renewal Process

We recommend starting the renewal process:

  • 30-60 days before expiration for complex environments
  • At least 2 weeks before expiration for standard setups
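
One way to set up the expiration monitoring recommended above, as an added example that is not Wisetail's own tooling: it reads the signing certificate(s) from an identity provider's SAML metadata XML and maps the days left onto this guide's 2-week and 30-60 day windows. The function names and action labels are assumptions of this example, and only the certificate's notAfter field is read (no signature or chain validation).

```python
import base64
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter (UTC) from a DER X.509 certificate; nothing is verified."""
    _, p, _ = _tlv(der, 0)            # Certificate
    _, p, _ = _tlv(der, p)            # tbsCertificate
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p     # skip the optional [0] version
    for _skip in range(3):            # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)            # validity
    _, _, p = _tlv(der, p)            # skip notBefore
    tag, s, e = _tlv(der, p)          # notAfter
    text = der[s:e].decode("ascii")
    if tag == 0x17:                   # UTCTime: RFC 5280 reads YY < 50 as 20YY
        text = ("20" if text[:2] < "50" else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def renewal_report(metadata_xml, now):
    """(notAfter, days_left, action) per signing cert; cutoffs follow this guide."""
    report = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' covers signing too
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            exp = not_after(base64.b64decode("".join(c.text.split())))
            days = (exp - now).days
            action = ("expired" if exp <= now else       # labels are this
                      "urgent" if days < 14 else         # example's own
                      "start renewal" if days <= 60 else "ok")
            report.append((exp, days, action))
    return report

if __name__ == "__main__":  # usage: python check_saml_cert.py idp-metadata.xml
    for row in renewal_report(open(sys.argv[1], "rb").read(), datetime.now(timezone.utc)):
        print(*row, sep="  ")
```

Run it on a schedule against metadata exported from your own identity provider, and open the support ticket when a certificate first reports "start renewal".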

What Happens If a Certificate Expires

⚠️ If a Certificate Expires:
  • SSO logins will stop working immediately
  • Your users won't be able to access Wisetail via single sign-on
  • You'll need to create an urgent support ticket with us
  • You may also need to contact your identity provider's support team
  • Resolution time depends on how quickly we can coordinate with all parties

Emergency Steps if SSO Stops Working

  1. Create an urgent support ticket at https://wisetail.zendesk.com/hc/en-us/
  2. Contact your identity provider or IT team immediately
  3. Be prepared to coordinate a three-way call between you, us, and your IdP vendor
  4. Have a test user ready to verify the fix once we implement it

Common Scenarios and Solutions

Your Identity Provider is Vendor-Managed

If you're using a service like Okta, Azure AD, or another managed identity provider:

  • Your vendor should notify you about upcoming certificate expirations
  • They may handle some of the renewal process automatically
  • You'll still need to coordinate with us for any changes on the Wisetail side
  • Keep both your vendor and us in the loop throughout the process

Your IT Team Manages Your Identity Provider

If your internal IT team manages your identity provider:

  • Make sure they're monitoring certificate expiration dates
  • They'll need to coordinate with you and our technical support team
  • Plan for additional time if your IT team isn't familiar with SAML certificate renewal
  • Consider having your IT team review this guide ahead of time

Testing and Verification

What We'll Test After Certificate Renewal

Once we've updated your certificate, here's what we'll verify:

  • Login Process: A test user can successfully log in via SSO
  • User Information: Correct user data is being passed from your IdP to Wisetail
  • Session Management: Users can navigate Wisetail normally after login
  • Logout Process: SSO logout works properly if configured

What You Should Test

After we confirm everything's working on our end, we recommend you test:

  • Login with different user types (admin, regular user, etc.)
  • Access to different areas of Wisetail based on user permissions
  • Any custom SSO configurations specific to your organization

Troubleshooting Common Issues

Issues You Might Encounter

Users Getting Login Errors

If users are seeing error messages when trying to log in:

  • Check if the certificate renewal is complete on both sides
  • Verify the timing - changes might take a few minutes to propagate
  • Try logging in with a test account first
  • Contact support if errors persist after 15 minutes

SSO Works But Something Seems Off

If login works but user information isn't correct:

  • This might indicate an issue with how user attributes are being passed
  • Check with your identity provider about attribute mapping
  • Let us know what specific information is missing or incorrect

Getting Additional Help

If you're experiencing issues after certificate renewal:

  • Update your existing support ticket with specific error messages
  • Include screenshots of any error screens users are seeing
  • Let us know which users are affected and which ones can log in successfully
  • Be prepared for a troubleshooting call with our technical support team and your provider

Best Practices for Certificate Management

✅ What Works Best:
  • Plan ahead: Don't wait until the last minute to start renewal
  • Communicate early: Let us know as soon as you're aware of upcoming expiration
  • Coordinate timing: Schedule changes during low-usage periods when possible
  • Test thoroughly: Verify everything works before announcing the change to users
  • Keep records: Document when certificates were renewed for future reference

Building Strong Support Relationships

Certificate renewals go smoothest when everyone knows their role:

  • You: Monitor expiration dates and initiate the renewal process
  • Your IT team/vendor: Handle the technical aspects of certificate generation and installation
  • Wisetail: Update our configuration and coordinate testing

Frequently Asked Questions

Can I see when my certificates will expire?

Unfortunately, you can't see certificate expiration dates from within Wisetail. You'll need to check with your identity provider or IT team for this information.

Will there be downtime during certificate renewal?

If we coordinate the renewal properly and replace the certificate before it expires, there should be minimal or no downtime. However, if a certificate expires before renewal, SSO will be unavailable until we can implement the new certificate.

Is there a cost for certificate renewal support?

Certificate renewal support is included as part of your Wisetail service. There's no additional charge for our technical support team to help with this process.

How often do certificates need to be renewed?

This varies by identity provider. Some certificates expire annually, others every two or three years. When Wisetail acts as the identity provider, our certificates are valid for 10 years.

What if users need to access Wisetail while SSO is down?

If SSO is unavailable, users with local Wisetail accounts may still be able to log in directly. However, most SSO-enabled organizations don't maintain local accounts for all users. Contact support to discuss temporary access options if needed.

Ready to Get Started?

Certificate management doesn't have to be stressful. Here's what you can do right now:

  1. Check your current setup: Do you know who manages your identity provider?
  2. Find out expiration dates: When do your current certificates expire?
  3. Set up monitoring: Put reminders in place so you don't miss renewal deadlines
  4. Bookmark our support site: https://wisetail.zendesk.com/hc/en-us/

💡 Remember: We're here to help make certificate renewal as smooth as possible. The key is communication and planning ahead. When in doubt, reach out to our support team - we'd rather help you plan than scramble to fix an expired certificate!

Contact Support

Need help with SAML certificate renewal or have questions about your SSO setup?

  • Support Site: https://wisetail.zendesk.com/hc/en-us/
  • What to Include: Your organization name, current SSO setup details, and timeline for renewal
  • Response Time: We'll get back to you within one business day for standard renewals, faster for urgent issues

Our technical support team has experience with all major identity providers and can help make your certificate renewal process smooth and successful.